Tuesday, 27 November 2012

Privacy commissioners of Australia and New Zealand said they need more enforcement authority to combat data breaches and other privacy concerns.

Whilst we agree data breaches can be a cause of identity theft, it is the lack of legislation allowing Police to charge employees who steal data and breach privacy that is at odds with the commissioners' enforcement requirements.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Data theft by employees is at epidemic levels and continues to increase. Imposing hefty fines on a small business due to a security breach by an employee only serves to further damage the affected business and does not prevent continuing occurrences.

Employees are completely immune from prosecution by Police if they steal data or any IP belonging to the company they are employed by.

There are civil remedies; however, a small to medium-sized business, whose primary asset is data, is usually so financially devastated by such a theft that it cannot afford to fund litigation. The thief benefits from the theft, breaches the employer's privacy policy with its customers and potentially causes additional loss for the business when it is fined under the proposed Bill.

To injunct a thief costs about $50,000.00 plus an additional surety over costs of up to $150,000.00. Most small businesses cannot afford this impost and the distraction of a usually protracted legal battle.

If the proposed Bill is to have any impact at all, it must be supported by legislation that will allow Police to charge employees who misuse authorised access to a computer or computer system to steal data from their employers.

Most businesses, including big business, are completely unaware that if an employee, or in fact anybody who has been provided access to their business, steals data, they cannot be prosecuted by Police.

64 percent of respondents believe that the majority of recent security attacks have involved the exploitation of privileged account access.

Recent high-profile security attacks, such as the RSA and Global Payments data breaches, have made an impact on security strategies this year:

When asked if they were rethinking security strategies based on these high-profile breaches, more than half said yes (51 percent).

Respondents were asked to rank their 2012 IT security priorities in order of importance:

Vulnerability Management (17 percent)

Privileged Identity Management (16 percent)

Security Information and Event Monitoring (SIEM) (15 percent)

Anti-Virus/Malware (13 percent).

Despite growing awareness of the privileged connection in cyber-attacks and the increasing insider threat, some businesses are failing to uphold their responsibility for securing customer and similar sensitive information:

43 percent of respondents stated that their organizations do not monitor the use of privileged accounts or were unsure of whether they did.

Of those organizations that monitor privileged access, 52 percent of respondents believe they can get around the current controls.

Current legislative and regulatory efforts to curb data breaches have proven ineffective to date: